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Abstract. In separation logic program analyses, tractability is generally achieved 
by restricting invariants to a finite abstract domain. As this domain cannot vary, 
loss of information can cause failure even when verification is possible in the un¬ 
derlying logic. In this paper, we propose a CEGAR-like method for detecting spu¬ 
rious failures and avoiding them by refining the abstract domain. Our approach 
is geared towards discovering existential properties, e.g. “list contains value x”. 
To diagnose failures, we use abduction, a technique for inferring command pre¬ 
conditions. Our method works backwards from an error, identifying necessary 
information lost by abstraction, and refining the forward analysis to avoid the 
error. We define domains for several classes of existential properties, and show 
their effectiveness on case studies adapted from Redis, Azureus and FreeRTOS. 


1 Introduction 

Abstraction is often needed to automatically prove safety properties of programs, but 
finding the right abstraction can be difficult. Techniques based on CEGAR (Counter- 
Example-Guided Abstraction Refinement) 0111201 can automatically synthesise an ab¬ 
straction that is sufficient for proving a given property. Particularly successful has been 
the application of CEGAR to predicate abstraction iia, enabling automated verifica¬ 
tion of a wide range of (primarily control-flow driven) safety properties 01181190 . 

Meanwhile, separation logic has emerged as a useful domain for verifying shape- 
based safety properties 02I3I7I14I260 . Its success stems from its ability to composition- 
ally represent heap operations. The domain of separation logic formulae is infinite, so 
to ensure termination, program analyses abstract them by applying a function with a 
finite codomain El. Although this approach has proved effective in practice, it does 
not provide a means to recover from spurious errors caused by over-abstraction. 

This paper proposes a method for automated tuning of abstractions in separation 
logic analyses. Instead of a single abstraction, our method works with families of ab¬ 
stractions parameterised by multisets, searching for a parameter that makes the analysis 
succeed. Expanding the multiset refines the abstraction, i.e. makes it more precise. 

Our method uses a forward analysis that computes a fixpoint using the current pa¬ 
rameterised abstraction, and a backward analysis that refines this abstraction by ex¬ 
panding the multiset parameter. To identify the cause of the error and propagate that 
information backwards along the counter-examples, we use abduction, a technique for 
calculating sufficient preconditions of program commands Q. We use the difference in 








symbolic states generated during forward and backward analysis to select new elements 
to add to the multiset. 

Our approach focuses on existential properties, where we need to track some ele¬ 
ments of a data structure more precisely than the others. For example, we define the 
domain of “lists containing at least particular values” (where the multiset parameter 
specifies the values). In general, our approach works well for similar existential prop¬ 
erties, e.g. “lists containing a particular subsequence”. Existential properties arise e.g. 
when verifying that key-value stores preserve values, or in structures that depend on 
sentinel nodes. 

Our approach is complementary to standard separation logic shape analyses. It adds 
a new tool to the analysis toolbox, but it is not a general abstraction-refinement solution. 
In particular, universal properties such as “all list nodes contain a particular value” are 
not handled. This is a result of our analysis structure: when forward analysis fails, we 
look for portions of the symbolic state sufficient to avoid the fault, and seek to protect 
them from abstraction. This is intrinsically an existential process. 

1.1 Related Work 

As in Berdine et al. II we wish to automate the process of ‘tweaking’ shape abstrac¬ 
tions. In in, abstract counter-examples are passed to a SMT solver, which produces 
concrete counter-example traces. These traces determine so-called doomed states, con¬ 
ceptually the same as those singled out for refinement by our procedure. An advantage 
of our approach is that we use information from the failed proof to inform the abstrac¬ 
tion refinement step, rather than exhaustively trying possible refinements as in H. This 
aside, the two approaches are largely complementary: 111 focuses on discovering shape 
refinements, while our work focuses on data properties. 

Our approach operates lazily, but in contrast to lazy abstraction CSl, we do not re¬ 
compute the abstract post operator each time we refine the abstraction. The intermediate 
formulae we compute during backward analysis can be seen as interpolants 1221 . but 
rather than taking these directly for refining the abstraction, we use them to select new 
parameters which have the effect of refining the abstraction. Such automatic discovery 
of parameters for parameterised domains is similar to Naik et al. l23], however, instead 
of analyzing concrete tests, we analyze abstract counter-examples. 

Our notion of an abstraction function is similar to widening ifT^ . However, refin¬ 
ing the abstraction with the least upper bound (as Gulavani and Rajamani ini) would 
not converge due to the presence of recursive data structures. Q gives a widening for 
shape domains, but this widening does not account for data, nor explicitly track exis¬ 
tential properties. Refinement with an interpolated widen ITbl . while similar to ours, is 
also not applicable as we do not work in a complete lattice that is closed under Craig 
interpolation. Shape analyses such as TVLA 1^ have been adapted for abstraction re¬ 
finement Em\ , however, we believe these approaches could not automatically handle 
verification of existential properties such as those in ^ 

The refinement process in our approach assumes a parameterised domain of sym¬ 
bolic heaps which can be refined by augmenting the multiset of parameters. Compared 
to predicate abstraction, where the abstract domain is constructed and refined automat¬ 
ically, in our approach we first have to hand-craft a parameterised domain. In part this 
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Fig. 1. Left: running example. Right: associated control-flow graph. Nodes where abstraction 
occurs are shaded. 


reflects the intrinsic complexity of shape properties compared to properties verifiable 
by standard predicate abstraction. 

Several authors have experimented with separation logic domains recording exis¬ 
tential information about stored data, e.g. II25I10I . Some of these domains could be 
formulated in our multiset-parametric approach, and vice versa. However, our work 
differs in that we focus on automating the process of refining the abstraction. 

2 Intuitive Description of Our Approach 

We now illustrate how over-abstraction can cause traditional separation-logic analy¬ 
ses to fail, and how our approach recovers from such failures. Our running example, 
given in Figure [T] is a simple instance of the pattern where a value is inserted into an 
pre-existing data-structure, the data-structure is further modified, and the program then 
assumes the continued presence of the inserted value. Our code first constructs a linked 
list of arbitrary length (we use for non-deterministic choice). It picks an arbitrary 
value for x, and creates a node storing this value. It extends the list with arbitrarily more 
nodes. Finally, it searches for the node storing x and faults if it is absent. 

Suppose our abstract domain consists of the predicates emp, representing the empty 
heap, node(a:, y, d), representing a linked list node at address x with next pointer y and 
data contents d, and list(a;,t/), representing a non-empty list segment of unrestricted 
length starting at address x and ending with a pointer to y. Nodes and list segments are 
related by the following recursive definition: 

list(a:,t/) = node(a;, j/, d') V (node(x, n', d') * list(n', 2 /)) 
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(Primed variables—a;', y', etc.—indicate logical variables that are existentially quanti¬ 
fied). A traditional analysis, e.g. US, starts with the pre-condition emp and propagates 
symbolic states over the control-flow graph (right of Fig. [^. Consider the execution of 
the program that adds a single node in the first while loop (node ^i) then adds x to the 
list, skips the second loop, and then searches for x (node Zg). Following the two list 
insertions (node Z 5 ) we obtain symbolic state 

node(r,r^x) * node(r', nil, d') 

As is typical, assume the analysis applies the following abstraction step; 

node(r,r',x) * node(r',ni \,d') list(r, nil) 

That is, it forgets list length and data values once there are two nodes in the list. At the 
head of the third while-loop (node Zg) it unfolds list(r, nil) back to the single-node case, 
yielding node(r, nil, x'). Since this state is too weak to show that x = x', the path where 
res is not set to 1 appears feasible, and the analysis cannot prove assert (res==l). 

Our solution. The analysis has failed spuriously because it has abstracted away the 
existence of the node containing x. We cannot remove abstraction entirely, and we 
also cannot pick a tailored abstraction a priori, because the appropriate abstraction is 
sensitive to the target program and the required safety property. Instead, we work with a 
parameterised/amZZy of abstractions. Starting with the coarsest abstraction, we modify 
its parameters based on spurious failures, automatically tailoring the abstraction to the 
property we want to prove. 

For our example, we augment the domain with a family of predicates list(_, _, {d}), 
representing a list where at least one node holds the value d (this domain is defined in 
Q. Upon failing to prove the program, our backwards analysis looks for extensions of 
symbolic states that would satisfy assert (res==l), and so avoid failure. Techni¬ 
cally, this is achieved by posing successive abduction queries along the counter-example 
path. If an extension is found, then the difference between the formulae from forward 
and backward analysis identifies the cause of the spurious failure. In our example, the 
analysis infers that the failure was due to the abstraction of the node storing x. We refine 
the abstraction so nodes containing x are rewritten to list(_, _, {x}), “remembering” the 
existence of x. This suffices to prove the program correct. 

3 Analysis Structure 

Symbolic heaps. A symbolic heap Z\ is a formula of the form U A S where 7T (the 
pure part) and E (the spatial part) are defined by: 

n ::= true | false | e = e | e ^ e | p{e) | iT A 7T 
E ::= emp | s(e) \ E * E 

Here e ranges over (heap-independent) expressions (built over program and logical 
variables), p{e) over pure predicates and s(e) over spatial predicates. Logical variables 
are (implicitly) existentially quantified; the set of all such variables in A is denoted by 
EVars(Z\). Ei * E 2 holds if the state can be split into two parts with disjoint domains, 
one satisfying Ei and the other A’ 2 . A disjunctive symbolic heap is obtained by com¬ 
bining symbolic heaps (both the pure and spatial part) with disjunction. We identify a 
disjunctive heap with the set of its disjuncts, and also denote such heaps with A. The 
set of all consistent symbolic (resp. disjunctive) heaps is denoted by SH (resp. 7^(SH)). 
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Abstract domain. Our abstract domain is the join-semilattice (7^(SH)^, h, U, T), where 
7^(SH)^ = 'P(SH) U {T}, the partial order is given by the entailment relation h, the 
join U is disjunction, and the top element, T, represents error. 

We assume a sound theorem prover that can deal with entailments between symbolic 
heaps, frame inference, and abduction queries (square brackets denote the computed 
portion of the entailment); 

- Z\i h Z \2 * [^J’] (frame inference): given Ai and Z\ 2 , find the frame Ap such that 
Z\i h Z \2 * Ap holds; 

- Ai * [Aa] k Z \2 (abduction): given Ai and A2, find the ‘missing’ assumption Aa 
such that Ai * Aa k A 2 holds. 


Specifications and programs. We assume that each atomic command c € Cmd is asso¬ 
ciated with a specification {P} c {Q}, consisting of a precondition P and a postcondi¬ 
tion Q in SH (in fact, our case studies use specifications expressed by using points-to 
and (dis)equalities only). We define assume(e) = {true} (ej and assert(e) = {e} {e}. 
Specifications are interpreted using standard partial correctness: {PjcjQ} holds iff 
when executing c from a state satisfying P, c does not fault, and if it terminates then 
the resulting state satisfies Q. As is standard in separation logic, we also assume speci¬ 
fications are tight: c will not access any resources outside of the ones described in P. 

We represent programs using a variant of intra-procedural control-flow graphs im 
over the set of atomic commands Cmd. A CFG consists of a set of nodes N containing 
distinguished starting and ending nodes start, end G N, and functions, succ: N — 
P(N) and cmd: N X N ^ Cmd, representing node successors and edge labels. All 
nodes either have a single successor, or all outgoing edges are labelled with command 
assume(e) for the condition e that must hold for that edge to be taken. 


Forward and backward transfer. We define the abstract forward semantics of each 
atomic command c by a function |c]: SH P(SH)^. The function |c], fusing to¬ 
gether rearrangement (materialisation) and symbolic execution 024I2I13I7I . is defined 
using the frame rule, which allows any triple jP} c{Q} to be extended by an arbitrary 
frame Ap that is not modified by c: 


W(/i) = 


JT if $Af-A h P*Ap 

\ {Q * Ap I Z\ h P * Ap} otherwise. 


When there is no Ap such that Z\ h P * Ap, the current heap A does not satisfy the 
precondition P of the command, and so execution may result in an error. We assume 
that the prover Alters out inconsistent heaps. Lifting disjunctions to sets on the left-hand 
side is justified by the disjunction rule of Hoare logic. We lift |c] to a forward transfer 
function P(SH)^ —^ P(SH)^ by mapping T to T and a set of symbolic heaps to the 
join of their |c]-images. 

We use abduction to transfer symbolic heaps backwards: given a specification jP} c{Q} 
and disjunctive symbolic heap A, if Aa is such that Q * Aa F A then (P * Aa} c{A}, 
i.e., we can “push” A backwards over c to obtain P * Aa as a pre-state. This gives rise 
to a backward transfer function |c]^: P(SH) —>■ P(SH) defined by: 

|c]^(Z\) = choose{{P * Aa \ Q * Aa F Z\}) 
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The heuristic function choose{—) selects a ‘good’ abduction solution (there can be 
many, e.g. a trivial one, false). For some fragments best solutions are possible; e.g. 
the disjunctive points-to fragment with (dis)equalities Q, a variation of which we 
use in our backward analysis. Along assume-edges we have |assume(e)]^(Z\) = 
wp(assume(e), Z\) = -le V Z\. 

3.1 Forward Analysis, Abstraction Function, and Parametricity 

Forward analysis attempts to compute an inductive invariant N —> 7^(SH)^. It gradually 
weakens the strongest property by propagating symbolic heaps along CFG edges using 
the forward transfer, and joining the obtained |c]-images at each CFG node. Since our 
abstract domain is infinite, and transfer functions are not necessarily monotone, forward 
propagation alone may not reach a fixpoint, or even converge towards one. 

We call a pair (SH, abs) an analysis. To ensure termination, propagated symbolic 
heaps are abstracted into a finite set, and the propagation process is made inflation- 
aryn Abstraction is realised by a function abs; SH -> CSH whose codomain is a fi¬ 
nite subset CSH of SH. At each step, abs replaces the propagated symbolic heap with 
a logically weaker one in CSH U {T}. We require abs to be inflationary, i.e., that it 
soundly over-approximates symbolic heaps with respect to h. Making the propagation 
inflationary means that instead of computing the (least) fixed-point of the functional 
<?; (N —>• 7^(SH)^) ^ (N —>• 7^(SH)^), we compute the inflationary fixed-point of the 
functional A i—)■ X U ^(A). 

Definition 1 (analysis comparison). Let abs; SH —> CSH and abs'; SH —> CSH' be 
abstraction functions. We say that abs refines abs, written abs ^ abs, if CSH C CSH^ 
and for every A € SH, abs'(Z\) h abs(Z\). We say that (SH, abs') is more precise than 
(SH,abs) if ahs A abs'. 

In §3.2| and fQwe introduce families of analyses whose abstraction functions are 
parameterised by a multiset (such analyses are parametric in the sense of 112^ 1. For any 
such family (SH, abssjgg^, where is some family of multisets and abs 5 ; SH 
CSHs, we require that if S' C S" then abss ^ absg/. 


3.2 Forward-Backward Abstraction Refinement Algorithm 

We now define an intra-procedural version of our analysis formally (we believe it could 
be made inter-procedural without difficulty - see (J^. Let (SH, abssjsg^vt be a family 
of analyses parameterised by a multiset. Our method for abstraction refinement starts 
with the analysis (SH, abs 0 ), and iteratively refines the abstraction by adding terms to 
the multiset S. The goal is to eventually obtain S such that using the analysis (SH, ahss) 
we can compute a sufficient inductive invariant. 


Forward analysis. Algorithm [T] shows a forward analysis from (3.1 extended with ab¬ 
straction refinement. The algorithm computes a fixpoint by constructing an abstract 
reachability tree (ART). An ART is a tree T = {T, E, Iq) C ART where T is the set of 
nodes, E the set of edges and fg the root node. We write Ej- to refer to the set of edges 


■ A function /: (A, C) —>■ (A, C) is inflationary if for every a, we have a C /(a). 
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1 S := 0; to ;= (start, emp); k ■— 0; Er = 0; T = ({to}, Er, to); 

2 while nodes_atr(fc) / 0 do 

3 j foreach t = (n, A) £ nodes_atr(fc) do 

4 foreach n' £ succ(n) do 

5 T>' ~\zmA(n,n')\{A)\ 

6 if O' = T then 

7 Add (t, («.', T)) to O 7 -; 

8 fc, S' Refine((n', T), S'); 

9 Break to the outermost while-loop; 

10 else 

11 foreach Zi' £ O do 

12 Z\'b3 := abss(Z\'); 

13 if Zi' 1,5 2 invr(ti') then 

14 To\i := T; 

15 Add (t, (n',Z\'bJ) to Or; 

16 invr := inv^id K M> irivru (n') U Zl'bJ; 

17 fc ;= fc -I- 1; 


Algorithm 1: Forward analysis with abstraction refinement. 


associated with a particular ART T- Nodes in T are of the form (n, Z\) £ N x SH and 
represent the abstract states visited during the fixpoint computation. We use the follow¬ 
ing functions to deal with the ART; parentr: T \ {fg} —>^ T returning the unique 
parent of a node, depthr: T ^ Nq returning the length of the path from to to t, 
and nodes.atr: Nq —> 'P{T) returning the set of all nodes at the given depth. For 
T = (T, E, to) and T' = {T', E', t^), we write T C 7”' to indicate that T is a subtree 
of T', i.e., that T C T', and E C E', and to = fg. We write cmd(n,n') to repre¬ 
sent the command labelling the edge between nodes n and n' and spec(?T., v!) for the 
corresponding specification. 

The algorithm iteratively propagates !•]-images of previously-computed abstract 
states along CFG edges, applies abstraction if the result is consistent, and joins each 
newly computed state with the previously-computed states at the same node. We store 
the invariant computed at each step using a map inv: ART (N —> 7^(SH)^), reflect¬ 
ing the fact that the invariant at a control point can be recovered from the node labels of 
the ART. If we have nodes_at(fc) = 0 for the current depth k, then we have successfully 
computed an inductive invariant without reaching an error. 

Suppose at some point the transfer function returns T, i.e., the forward analysis 
fails to prove a property (e.g., a pure assertion or a memory safety pre-condition of 
a heap-manipulating command). This can happen due to either a true violation of the 
property, or a spurious error caused by losing too much information somewhere along 
the analysis. The algorithm then invokes Algorithm]^ Refine, to check for feasibility 
of the error and, if it is spurious, to refine the abstraction. 

Backward analysis. Algorithm Refine, operates by backward analysis of abstract 
counter-examples. Rather than using weakest preconditions as in CEGAR, Refine uses 
abduction to propagate formulae backwards along an abstract counter-example and 
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1 Refine(t^ : T, S: M): No x M 

2 begin 

3 

4 

5 

6 

7 

8 
9 

10 
11 
12 

13 

14 

15 

16 

17 

18 


k := depth(t ) — 1; 

tcurr ■= tprev ■= parent(t^); 

{P} _{_} := spec(iprev.n,tcurr.n); 

Solve iprev^ * [^a] 1 “ P * true; 

^prev ■” iprev-'^ * ■^Al 

•= iprevA; path^^^ := Z\p,^^; 

while k > Odo 

^curr •— ^prev? ^prev •— P^rePlt^^curr) 5 
^prev := [[cmd(tprev.n, t 


A' - A' • 

*curr • *prev5 


pathf„j := tc^„.A ■ path 
if tprev^ I- then 


curr-tl)| (Zip^rr); 
fwdi := Zicu 


pathb 


S ■- S\J SelectSymbols(pathf„j, pathb„d); 
Delete tcurr-subtree of T; 
return A: — 1, S; 
k ~ k — 1\ 
throw “error”; 


Algorithm 2: Backward analysis of counter-example by abduction. 


to : 

(start, emp) 

^8 

ti : 

(Zi, r = nil) 

tg 

t2 : 

{h, r = nil) 

tio 

ta : 

(Zi, node(r, nil, _)) 

til 

t4: 

(Zs, node(r, nil, _)) 

tl2 

tb : 

(Z4, node(r, nil, _)) 

tl3 

to : 

(Z5, list(r, nil)) 

tl4 

tr : 

(Z7, list(r, nil)) 



(is, list(r, nil) A t = r A res = 0) 

(ig, list(r, nil) A t = r A res = 0) 

(Zio, node(r, nil, d') A t = r A res = 0 A d = d') 

{1x2, node(r, nil, d') A t = r A res = 0Ad = d'Ad 7 ^x) 

{Is, node(r, nil, d') A t = nil A res = 0Ad = d'Ad 7 ^x) 
(/i 3 , node(r, nil, d') A t = nil A res = 0) 

(end, T) 


Fig. 2. Abstract counter-example for the running example 


check its feasibility. Once a point in the path is found where forward analysis agrees 
with the backward analysis, the mismatch between the symbolic heaps from forward 
and backward analyses is used to update the multiset S that determines the abstraction. 

Definition 2. An abstract counter-example is a sequence {no, Aq) ... {uk, Ak) with: 

- no = start and for all 0 < i < k, Ui G succ(ni_i); 

- Z\o = emp, for all 0 < i < k, Ai £ abss(|cmd(ni_i, ni)](Z\i_i)) and Ak = T. 

Figure shows the abstract counter-example for the error discussed in iQ This is the 
sequence of symbolic heaps computed by the analysis on its way to the error. This 
counter-example covers the case where the list contains just one node. The error results 
from over-abstraction, which has erased the information that this node contains the 
value 0 (this can be seen in the last non-error state, tif). 

Refine begins by finding a resource or pure assumption sufficient to avoid the ter¬ 
minal error in the counter-example. Let (no,zio) • ■ ■ {nk,~^) be an abstract counter¬ 
example withcmd(nfe_i,nfc) = {Pk}ck{Qk}- Since |cfc](zifc-i) = T, Ak-i misses 
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some assumption required to satisfy Pk- To find this. Refine solves the following ab¬ 
duction query (line|6l— here Aj.-i is a rearrangement of for example to expose 

particular memory cells: 

Ak-i * [Z\a] ^ Pk * true. 


The resulting symbolic heap Aa expresses resources or assumptions that, in combi¬ 
nation with Ak-i, suffice to guarantee successful execution of Cfc. If Aa is false then 
Ak-i * [Aa] is inconsistent; if this happens then the analysis will have to find a refine¬ 
ment under which {uk-i, Ak-i) can be proved to be unreachable. 

Letting := A^-i * Aa, Refine computes a sufficient resource for the pre¬ 

ceding state (linefTT]): 

^'k-2 ■= Icmd(nfe_2,nfc_i)]^(Z\;,_i). 


If Ak -2 1“ ^fc -2 thsn in the step from Ak -2 to Ak-i a loss of precision has hap¬ 
pened, and we use the additional information in A'i,_^ to refine the abstraction (line 
131. Otherwise, we continue pushing backwards, and generate A'f._^, A'f._^, etc. 

Eventually, Refine either halts with Ai h Z\' for some z > 0, or in the last step 
obtains Aq 1/ Z\q. In the former case. Refine invokes the procedure SelectSymbols, 
passing it the forward and the backward sequence of symbolic heaps leading to the error 
(line[T4|). The symbols it generates are added to the multiset S, refining the abstraction. 
In the latter case, we did not find a point for refining the abstraction, so Refine reports 
a (still possibly spurious) error (line 18 1 . Note that in this case the computed heap Aq 
is a sufficient pre-condition to avoid this particular abstract counter-example. 

If Refine calls SelectSymbols to update the abstraction, it discards the current node 
and all its descendants from the ART (line [TS] ). The ART below the refinement point 
will be recomputed in subsequent iterations using (possibly) stronger invariants. 


Theorem 1 (Soundness). If the algorithm terminates without throwing an error, the 
computed map invT- is an inductive invariant not containing T. 

Proof. Refinement in Alg.[2is achieved by augmenting S with new elements selected 
by SelectSymbols. Since abss ^ abss' for S C S', this is immediately sound. □ 


Refinement heuristic. SelectSymbols stands for some heuristic function which refines 
the abstraction. It takes two sequences, pathf^j and patht.^^: the former is a path taken 
by the forward analysis from the i-th node of the counter-example to the error node 
(such that Ai h Z\' in Alg. |^, while the latter is a path sufficient to avoid the error. 
SelectSymbols tries to identify symbols present in the error-avoiding path that have 
been lost in the forward, overly-abstracted path. Conceptually, SelectSymbols can be 
seen as a simpler analogue of the predicate discovery heuristics iniisi (it synthesizes 
only symbolic constants rather than predicates). 

The heuristic in our implementation works by examining the syntactic structure 
of formulae A and A' for which A \~ A' has been established. The heuristic starts 
by identifying congruence classes of terms occurring in both formulae and building a 
tree of equalities between program variables in each congruence class. Our separation 
logic prover preserves the common syntactic parts of A and A' by explicitly recording 
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substitutions, ensuring we can recover a mapping between common variables occurring 
in both formulae. The heuristic then exhaustively traverses equalities in the congruence 
classes for each term of Z\', and checks whether equalities can be used to strengthen A 
without making it inconsistent. Intuitively, because these equalities are mentioned in the 
calculated sufficient resource, they will likely be significant for program correctness. 
The variables in identified equalities are then used to strengthen the abstraction. We 
found this heuristic worked well in our case studies (see Q. 


Running example revisited. In ^we saw a spurious error caused by over-abstracting 
values in the list. To fix this, we augmented the domain with predicates list(_, {d}), 
representing a list that has at least one node with value d. We now show the refinement 
step in this domain. The backward analysis begins by solving the abduction query 

(node(r, nil, d') A x = d A t = nil A res = 0) * \A'.y^ h res = !*[_] 

This yields A'l^ = false as the only solution. The analysis then generates the following 
sequence of symbolic heaps (we omit some for brevity). Compare with the abstract 
counter example in Fig.|^ here Z\' corresponds to node ti): 

A '\2 = ("t 7 ^ nil A res = 0 A true) 

A'^q = ((d = X A true) V {t' 7 ^ nil A res = 0 A node(t,t\d^) * true)) 

Zlg = ((node(t, t', x) * true) V {t' 7 ^ nil A res = 0 A node(t, t', d!) * true)) 

Z\g = (((res 7 ^ 0 V t = nil) A true) V (node(t, x) * true) V 
{t' 7 ^ nil A res = 0 A node(t, d^) * true)) 

A'y = ((r = nil A true) V (node(r, x) * true) V {t' 7 ^ nil A node(r,d,d^) * true)) 

Zig = (r = t' A true) 

The algorithm stops at A'^, since A^ h A'^, and calls SelectSymbols to augment the 
abstraction. Our implementation looks for equalities in each Z\' that can be used to 
strengthen A. In this case, in A\q the heuristic identifies d = x to strengthen the cor¬ 
responding Z\io = node(r, nil,d') A t = r A res = 0 A d = d'. Thus the heuristic 
selects the variable x to augment the abstraction’s multiset. 

In the unrefined analysis, any predicate list(_, S) will be abstracted to list(_, 0) 
(equivalent to list(_, _)). Adding x to the multiset means that predicates of the form 
list(_, {x}) will be protected from abstraction. We restart the forward analysis from 
This time the error is avoided, and we obtain the following abstract states: 

tg = (( 5 ,list(r, nil,{x})) ... 

fg = (( 9 , list(r, nil, {x}) A t = r A res = 0) 

Executing from /g to (10 gives two possible post-states: node(r, r', d') * list(r', nil, {x}) A 
t = r A res = 0 A d = d' and node(r,r',x) * list(r', nil, 0) A t = r A res = 

0 A d = X. In fact, this refined abstraction suffices to prove the absence of errors on all 
paths, which completes the analysis. (Other examples may need multiple refinements) 
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case S'= 0: list(e,/, 0) = node(e,/, _) V (node(e, a;', _) * list(a:',/, 0)) 

caseS = {d}: list(e,/, {d}) = node(e,/, {d}) V (node(e, a:', {d}) * list(a;',/, 0)) 

V (node(e, a:', _) * list(a;',/, {d})) 

case |S| > 1, d £ S: list(e,/, S) = node(e, a:', {d}) * list(a;',/, S \ {d}) V 

node(e, a:',-) * list(a;',/, S) 

Fig. 3. Recursive definition of the list predicate in domain 


A A x' = e Zi[e/a;'] 


. mis 


A * a{x',e,S) A * true if a;' ^ EVars(z 3 ) 

A * cri(a:', y', _) * a2{y',x',S) A * true ifx',t/' ^ EVars(zi) 

A * cri(ei, a;', Si) * 0-2(0;', ea, Sa) A * list(ei, nil, pry(Si U S2, dl)) 

if x' ^ EVars(Z\, ei, 62) A Z\ h 62 = nil 


A * o-i(ei, ®', Si) * 

0-2(0;', 62, S2) * 0-3(63,/, S3) 


rrls /^list(ei,62, pry(Sl U S2,d7))\ 
^ V *Z\ * 0-3(63,/, Sa)/ 


if 0;' ^ EVars(Z\,6i,62,63,/) A Z\ h 62 = 63 
Z\ * list(6,/, S) -ly" list(6,/, pry(S, 77 )) 

Fig. 4. Abstract reduction system defining the abstraction function absy'^. (In the rules, 
a, (Ti range over {node, list}. The pure assumption 77 is supplied by the analysis.) 


4 Example Multiset-Parametric Analyses 

We describe in detail linked lists with value refinement and sketch two other multiset 
families; linked lists with address refinement, and sorted linked lists with value refine¬ 
ment. Details for the latter two can be found in Appendix All three families are 
experimentally evaluated in 

Linked lists with value refinement is domain used in our running example (fQ. 
List segments are instrumented with a multiset representing the lower bound on the 
frequency of each variable or constant. The abstraction function is parameterised by 
a multiset controlling which symbols are abstracted. By expanding the multiset, the 
preserved frequency bounds are increased, and so the abstraction is refined. 

The domain contains spatial predicates node(-, •, (dj) and list(-, •, S) for all 

5 and d G S. Here x, y are locations, d is a data value. S' is a multiset: 

- node(a:, y, {d}) holds if x points to a node whose next field contains y and data 
field contains d, i.e., node(a;, y, {d}) = x ^ (next: y, data : dj. 

- Iist(a:, y, S) holds if x points to the first node of a non-empty list segment that ends 
with y, and for each value d G dom(S), there are at least S(d) nodes that store d. 

The recursive definition of list in is shown in Fig.We use these equivalences 

as folding and unfolding rules when solving entailment queries in 

Abstraction. Let T be a finite multiset of program variables and constants. In Fig. 
we define a parametric reduction system which rewrites symbolic heaps from 
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to canonical heaps whose data and multiset values are congruent to elements of 
T. Except for the final rule, the relation resembles the abstraction for plain linked 
lists developed by Distefano et al. ini table 2], 

The final reduction rule replaces every predicate list(e, /, S) with the bounded pred¬ 
icate list(e, /, prj^(S', n)). The operator pr^^ extracts the maximal subset of S such that 
no element appears more frequently than it does in T (modulo given pure assumptions 
77). Let ~77 be the equivalence relation x y = U \- x = y. Fix a representative for 
each equivalence class of ^jj, and for a multiset S, denote hy S/n the multiset of ^jj- 
representatives where the multiplicity of a representative x is Writing 

X ■ n for a multiset element x occurring with multiplicity n, we define pr^ by 

prrp[S,n) = {x-n \ x-k'G S/n/\^d' -m' G T/n-n \-X = d'An = ,m')}. 

As has no infinite reduction sequences, it gives rise to an abstraction function 
absy'^ by exhaustively applying the rules until none apply. 

Lemma 1 (Finiteness). IfT is finite and there are only finitely many program variables 
then the domain CSH^'^ = {Z\ | Z\ 1/ false A A infinite. 

Lemma 2 (Soundness). As A implies A h A', abs^'^: SH is a 

sound abstraction function. 

Lemma 3 (Monotonicity). IfTi C T 2 then abs^l^^ A abslji^^. 


int remove(Node x) { 

. . . // (border cases) 
p = hd; c = p->next; 
while (c!=nil) { 
if (c==x) { 

p->next = c->next; 
return 1; 


4.1 Linked Lists with Address Refinement 

Rather than preserving certain values in the list, we 
might need to preserve nodes at particular addresses. 

For example, to remove a node from a linked list we 
might use the procedure shown on the right. Given 
pre-condition list(r, x) * node(x, n',_) * list(n',nil) 
the procedure will return 1. However, the standard 
list abstraction will forget the existence of the node 
pointed to by x, making this impossible to prove. 

To preserve information of this kind, we combine 
the domain of linked lists, with a multiset re- } 

finement that preserves particular addresses. Because node addresses are unique, the 
domain contains just list and node predicates, rather than predicates instrumented with 
multisets. The reduction system protects addresses in the multiset T from abstrac¬ 
tion. As before, refinement consists of adding new addresses to the multiset. 


} 

p = c; c 

} 

return 0; 


p->next; 


4.2 Sorted Linked Lists with Value Refinement 

We can apply the idea of value refinement to different basic domains, allowing us to deal 
with examples where different data-structure invariants are needed. In our third analysis 
family, we refine on the existence of particular values in a sorted list interval, rather 
than a simple segment. The domain contains the predicate list<, parameterised 
by an interval of the form [a, /?), which stores the bounds of the values in the list, and 
a multiset S, which bounds on the frequency of particular values in the interval. The 
abstraction function works in a similar way to the operator pr^ caps the 

frequency set S, limiting the number of values that are preserved by abstraction. 
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No Benchmark 

Result 

Dom 

|r| 

#Refn |ART| #Quer 

Set 







1 add(a;)-*-mem(a;) 

/ 

SHnils 

1 

1 

83 

162 

2 *-add(a:)-*^dei-mem(a:) 

/ 

SH"''= 

1 

1 

104 

193 

3 *^dei-mem(a;)-*-,a;-mem(a;) 

/ 

SHnils 

1 

1 

165 

280 

4 *add(a:)-all-equaLto_a; 

OO 






5 *add(a:)-all-Sorted 

T 

SHnils 





Multiset 







6 add(a:)-add(a;)-del( 2 :)-mem(x) 

/ 

SHmis 

2 

1 

67 

91 

7 *-add(x)-*^dei-mem(x) 

/ 

SHnilB 

1 

1 

112 

205 

8 *^dei-mem(a;)-*-,x-mem(a;) 

/ 


1 

1 

171 

312 

9 *-add(a:)-*^dei-add(a:)-*^dei-del(a:) 

l-mem(a:) / 

Sh-ib 

2 

2 

219 

458 

Map 







10 *-put(fc, i!)-*^fc-get(fe) 

/ 

SHHiIb 

1 

1 

118 

215 

11 *-rem(fc)-bound(fc) 

/ 

SHHiIb 

1 

1 

92 

168 

ByteBufferPool 







12 Property 1 

/ 

SH'-'" 

1 

1 

154 

231 

13 Property 2 

/ 

SH'’'" 

2 (1) 

1 

189 

270 

14 Property 3 

/ 


6 (2) 

4 

316 

511 

FreeRTOS list 







15 Property 4 

/ 

SHHiIb 

1 

1 

91 

158 

16 Property 5 

/ 


6 

5 

425 

971 


Table 1. Experimental Results. Benchmarks verified by the analysis are marked with /, those 
where it threw an error with T and those where it did not terminate with oo. Dom is the domain 
used for the analysis, |r| is the size of the multiset T after the final refinement (number in paren¬ 
theses denotes the size of the minimal sufficient T), #Refn is the no. of refinement steps, \ART\ 
the no. symbolic states in the final ART, and #Quer the no. queries sent to the proven 

5 Experimental Evaluation 

We implemented Algorithmand abstract domains and in the sepa¬ 

ration logic tool coreStar IQ. Aside from superficial tweaks, we used an identical algo¬ 
rithm and SelectSymbols heuristic for all of our case studies. We used client-oriented 
specifications m describing datastructures from Redis (a key-value store), Azureus (a 
BitTorrent client) and FreeRTOS (real time operating system). Table[2shows results. 

Set, Multiset and Map. These are synthetic benchmarks based on specifications for 
Redis im. They check various aspects of functional correctness—for example, that 
following deletion a key is no longer bound in the store. Furthermore, we check these 
specifications across dynamic updates which may modify the data structures involved— 
for example, by removing duplicate bindings to optimize for space usage. 

The Set and Multiset benchmarks apply operations add (add an element), del (delete 
an element) and mem (test for membership) to a list-based set (multiset, respectively) in 
the order indicated by the benchmark name. The symbols *, and *-, 3 , respectively 
denote applying all operations any number of times with any argument, all operations 
except del, and all operations but excluding x as an argument. For Map benchmarks 
the operations put (insert a key-value pair), get (retrieve a value for the given key), 
rem (remove a key with the associated value) and bound (check if the key is bound) 
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are to a list-based map. For benchmarks 1,2,6,7,9,10 the goal was to prove that the last 
operation returns true; for benchmark 11 that it returns false; and, for benchmarks 3 
and 8 that the two mem operations return the same value. Benchmark 4 illustrates a 
universal property that causes our analysis in Slf^'^ to loop forever by adding x to T 
at each refinement step. Benchmark 5 is a universal property for which our analysis in 
Slf^'^ fails to find an inductive invariant due to the ordering predicate (using on 
the same benchmark loops forever). 

ByteBufferPool. Azureus uses a pool of ByteBuffer objects to store results of network 
transfers. In early versions, free buffers in this pool were identified by setting the buffer 
position to a sentinel value. The ByteBufferPool benchmarks check properties of this 
pool. Property 1 checks that if the pool is full and a buffer is freed, that just-freed 
buffer is returned the next time a buffer is requested. Property 2 checks that if the pool 
has some number of free buffers, then no new buffers are allocated when a buffer is 
requested. Property 3 checks that if the pool has at least two free buffers, then two 
buffer requests can be serviced without allocating new buffers. 

FreeRTOS list. This is a sorted cyclic list with a sentinel node, used task management 
in the scheduler. The value of the sentinel marks the end of the list—for instance, on 
task insertion the list is traversed to find the right insertion point and the guard for that 
iteration is the sentinel value. To check correctness of the shape after insertion (Property 
4) it suffices to remember that the sentinel value is in the list. To check that tasks are 
also correctly sorted according to priorities (Property 5) we need to keep track of list 
sortedness and all possible priorities as splitting points. 

6 Conclusions and Limitations 

We have presented a CEGAR-like abstraction refinement scheme for separation logic 
analyses, aimed at refining existential properties of programs, in which we want to track 
some elements of a data structure more precisely than others. 

Our prototype tool is built on coreStar lO, and we expect our approach would com¬ 
bine well with other separation logic tools, e.g. II7I3L In particular, abduction is known 
to work well in an inter-procedural setting m and we thus believe our approach could 
be made inter-procedural without substantial further research. 

Minimizing incompleteness is more challenging, as without further assumptions Al¬ 
gorithm [T] might diverge, or fail to recognize a spurious counter-example as infeasible. 
If the forward transfer function is exact (i.e., returns the strongest post-condition) and 
the backward transfer function is precise (i.e., for any c and A, |c](|c]'^(Z\)) h A) 
then the algorithm makes progress relative to the refinement heuristic. Intuitively, if 
SelectSymbols always picks a symbol such that the refined abstraction rules out the 
spurious counter-example, then that counter-example will never reappear in subsequent 
iterations. However, we are skeptical that our current heuristic satisfies this condition. 
For a more formal discussion, see Appendix [A] 

Note that Berdine et al. ||4) similarly do not establish progress for their analysis. 
Predicate abstraction techniques that do not a priori fix the set of predicates have the 
same issue, as do interpolation-based procedures that do not constrain the language of 
acceptable interpolants. In both cases, the restrictions that ensure termination also limit 
the set of programs that can be proved correct. 
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A Relative Progress and Completeness 


Without further assumptions, the abstraction rehnement algorithm might diverge, or re¬ 
port a spurious counter-example which is in fact not feasible. The following idealised 
assumptions suffice to ensure progress and completeness (we are skeptical that condi¬ 
tion (c) holds for our current realisation of the analysis—see below). 

(a) The forward transfer function is exact (i.e., !•]-image is the strongest post-condition 
in the given abstract domain). 

(b) The backward transfer function is precise (so we are able to identify spurious 
counter-examples). Formally, for any c and A, we have |c](|c]^(Z\)) h A. 

(c) When called with a (pathf^j, path|j^j)-pair of the counter-example and the path 
sufficient to avoid the error, the procedure call SelectSymbols(pathf^„j, pathi^^^j) 
picks symbols A for augmenting S such that the spurious counter-example ending 
with pathf^„j is eliminated by the abstraction abssu,4- 

Alg. 0 then makes progress by ensuring that a counter-example, once eliminated, re¬ 
mains eliminated in all subsequent iterations. 

Theorem 2 (Relative progress). Let 7 ^ be the counter-example processed in the j-th 
refinement step. Then for all j > 1, | 7 j| < |7j+i|, where \ ■ \ denotes the length of the 
counter-example. In addition, if^j is processed with value k in the while-loop on line^ 
of Alg. ^then the program being analysed has no counter-examples of length less than 
k. 

Proof. Let S{j) denote the multiset from the j-th iteration of Refine. Since abs 5 (j) ^ 
abs 5 (j_|_i), no new counter-examples can appear in the part of the ART that is recom¬ 
puted in the (j -f l)-th step (invariants computed in CSH 5 (j+i) will be at least as strong 
as those in CSH 5 (j)). Since (c) guarantees that the previous counter-example has been 
eliminated, if a new counter-example is found then the corresponding value of k in the 
while-loop will be either the same as in the j-th step or larger. □ 

Theorem 3 (Relative completeness). If the safety property is implied by an induc¬ 
tive invariant expressible in CSHg/or some finite multiset S and assuming that those 
elements would eventually be selected from counter-examples by SelectSymhols then 
Alg.^terminates without throwing an error. 

Proof. Since Alg.[T]proceeds in a breadth-first fashion and counter-examples to safety 
properties are finite, all counter-examples leading to picking elements of S will eventu¬ 
ally be processed, enabling Alg.[T]to compute an invariant in CSHs' for some S' A S. 

□ 

Assumptions (a) and (b) can be satisfied (although for implementation efficiency we 
may choose not to). Assumption (c) is more problematic. 

Forward transfer. Without exactness, a spurious counter-example may never be elimi¬ 
nated, because our analysis refines only the abstraction function. Since separation logic 
analyses effectively calculate strongest post-conditionsj^we in fact have exact forward 
transfer, meaning spurious counter-examples can always be eliminated. 

^ modulo deallocation—although even for that case the forward transfer is tight in actual imple¬ 
mentations. 
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Backward transfer. In our analysis abduction is performed on finite unfoldings of predi¬ 
cates, modulo an arbitrary frame, fixed along the counter-example. As a result, counter¬ 
examples are always expressed as data-structures of a particular size (rather than e.g. 
general lists which could be of any size). This means that counter-examples can be ex¬ 
pressed in the points-to fragment of separation logic, in which optimal solutions are 
possible II 2 I. Thus in principle we can satisfy (b) and make backward transfer precise. 
However, such a complete abductive inference is of exponential complexity since it 
has to consider all aliasing possibilities. In our implementation, we use a polynomial 
heuristic algorithm (similar to 121) which may miss some solutions, but in practice has 
roughly the same cost as frame inference. 

Selecting symbols. Due to its heuristic nature, it is unlikely that our implementation 
of SelectSymbols satishes assumption (c). Furthermore, we are unsure whether it is 
generally possible to construct SelectSymbols that would satisfy (c) for an arbitrary 
parametric domain. While at least in principle we could employ a trivial heuristic which 
enumerates all multisets of symbols, that would be impractical. The problem of picking 
symbols which are certain to eliminate a particular counter-example seems uncomfort¬ 
ably close to selecting predicates for predicate abstraction sufficient to prove a given 
property. Many effective heuristics used in this area are incomplete (in that they may 
fail to hnd an adequate set of predicates when one exists), and there has been only a 
limited progress in characterising complete methods|^Unfortunately, all such complete 
predicate refinement methods rely on interpolation, a luxury which we do not (yet) have 
in separation logic. More work is needed to understand the intrinsic complexity of ways 
for doing refinement in separation logic analyses such as the one proposed in this paper 
in relation to the logical properties of separation logic domains. 

B Details of Other Multiset-Parametric Domains 

Here we give detailed definitions of the two analysis families that we sketched in ^ 

B.l Linked Lists with Address Refinement 

This analysis allows refinement on protecting particular addresses, rather than values. 
We work with the domain of linked lists, which we denote built from plain spatial 
predicates node and list. 

Our abstraction works similarly to the abstraction for plain linked lists ina except 
that it can be refined to preserve nodes at particular addresses. Fig. shows rewrite 
rules realising the abstraction abs^^. The rules are guarded by a finite set of terms T 
representing locations—each rule is enabled only if the spatial object triggering the 
rule is not among the locations in T. 

Lemma 4. CSH^ = {A \ A \f false A A is finite and absl;^^: SH — > CSH^ is a 

sound abstraction. 

^ See Ranjit Jhala, Kenneth L. McMillan. A Practical and Complete Approach to Predicate 
Refinement. In TACAS, 2006, for an instance of such complete predicate refinement method 
(for difference bound arithmetic over the rationals). 
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A * ai(ei,x') * 0 - 2 ( 3 ;', 62 ) A * list(ei, nil) 

if x' ^ EVars(Z\, ei, 62 ) A Z\ h 62 = nil A Vf G T . zl F ei = t 

A * CTi(ei,3:') * 0 - 2 ( 3 ;', 62 ) * 0 - 3 ( 63 ,/) * Iist(ei,e 2 ) * 0 - 3 ( 63 ,/) 

if x' ^ EVars(Z\, 61,62, 63, /) A Z\ h 62 = 63 A Vf G T . Zi F ei = t 

Fig. 5. Abstract reduction system defining the abstraction function abs^. First three rules 

(not shown) are the same as in Fig.In the shown rules, a, at range over {node, list} and the 

data field is elided. 

5 = 0: 

list<(6,/, [a,/3),0) = a < d'</3 A (node(6,/, (d'}) V 

node(6, 3 :', d') * list< ( 3 ;',/, [d',/3), 0)) 

5 = {d}: 

list<(e,/, [a,/3),{d}) = node(6,/, {d}) V 

d = a A node(6, x' , {d}) * list<(a;', /, [d, /3), 0) V 
dj^aAa<d '</3 A node(6, x', d') * list<(a;', /, [d', /3), {d}) 

|5| > l,dG 5: 

list<(6,/, [a,/3), 5) = d = Q A node(6, 3 ;', {d}) * list< (a;',/, [d,/3), 5 \ {d}) V 

d^aAa<d'<j 3 A node(6, 3 ;', d') * list<(3;', /, [d', /3), 5) 

Fig. 6. Recursive definition of the list< predicate in domain 


Lemma 5. IfTiC T 2 then abs^^ ^ abs^^- 

B.2 Sorted Linked Lists with Value Refinement 

Lastly, we present an analysis that works in the domain of sorted linked lists. Our ab¬ 
straction can be refined to preserve particular values in the list, as with the analysis 
described in (Q However, the domain consists of ordered lists segments. 

Domain. The predicate list<(a;, y, [ct, f3), S) holds if x points to a sorted non-empty 
list segment ending with y whose data values are all greater than or equal to a and less 
than ( 5 , and for each d G dom(5), there are at least S{d) nodes in the list with value d. 
Parameters a, /3 and S satisfy the invariant I: Vd G dom(5) .a < d < fi. Sorted lists 
can be split according to the following rule; 

list<(e,/, [a,/3),5) = list<(e,a;', [a, 7 ), 5 n [a, 7 )) * list<(a;',/, [ 7 ,/ 3 ), 5 n [ 7 ,/?)). 

Folding/unfolding rules for exposing/hiding are similar to the rules for list (Fig. 1 ^, but 
in addition keep track of the involved inequalities. New rules for list< are shown in 
Fig. 1^ Note that each rule maintains the invariant I. 

Abstraction. In the abstraction, we proceed similarly as in Fig. |^but also maintain the 
invariant I. Fig. shows rewrite rules corresponding to the fourth rule of Fig. for 
(Ti = tT 2 = node and iji = 0-2 = list<. The rest of the cases for ai are analogous to 
the fourth rule, and the fifth rule of Fig.|^ The resulting abstraction abs^^ satisfies the 
following lemmas: 
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A * node(ei, x', {di}) * node(x', 62, {d2}) 

A * list<(ei, nil, [di,d2 + 1 ), prj,({di, d2},dl)) 
if x' ^ EVars(Z\, ei, 62) A Z\ h 62 = nil 

A * list<(ei,x',[ai,/ 3 i},Si) * list<(x', 62, [q!2, ,02), 52) 

A * list<(ei, nil, [ai,,fl2), prr(Si U 82,!!)) 
if x' ^ EVars(Z\, ei, 62) A h 62 = nil A /?i < 02 

Fig. 7. Selected rules of the abstract reduction system defining the abstraction function absy^ 


Lemma 6. For CSHJ^ = {A \ A false A A abs^^: SH CSH^ is a sound 

abstraction. If the domain of values is finite then CSH!^^ is also finite. 

Lemma 7. IfTiC T 2 then abs^^ ^ abs^^- 

For infinite value domains, the set CSH^^ is infinite since we have infinite ascending 
chains of intervals as parameters to list<. We could recover convergence in such cases 
by using widening on the interval domain ifT^ . 
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